Stack overflow (stack exhaustion) not the same as stack buffer overflow

Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not by themselves lead to an exploitable condition (there is no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow. Stack exhaustion means the thread has used up all of its stack space, typically through deep recursion, and there is no room left for the next frame; a stack buffer overflow means that data written to a buffer on the stack runs past the end of that buffer and overwrites whatever lies beyond it, such as the saved return address. Stack buffer overflows often lead to elevation of privilege. Unfortunately, the literature tends to use "stack overflow" to refer to both cases, hence the confusion. The error code STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to a stack buffer overflow, while the error code STATUS_STACK_OVERFLOW (0xc00000fd) refers to stack exhaustion.

On Bugtraq this morning, there was a public post of a stack exhaustion bug that, fortunately, does not lead to arbitrary code execution. Let's take a closer look at it and a few other examples. We'll start with today's Bugtraq posting:

Again, the HTML has requested an extraordinary amount of stack space. IE attempts to allocate that space and eventually runs out. Unable to process the HTML, it fails with a stack overflow / exhaustion error (0xc00000fd).

One last example is from April 2008 and, again, it leads to a stack overflow/exhaustion error (0xc00000fd):

As you can see, there are several ways of reaching a stack exhaustion condition. Fortunately, these are stability issues that by themselves cannot lead to remote code execution. The condition arises when a parsing client-side application cannot allocate enough stack space to complete an operation, as in the examples here, where a web page tries to consume as much stack as possible and eventually runs out of space.
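To make the distinction concrete, here is an added example in C (not code from the MSRC post or from any Microsoft product) that models both conditions side by side so they can be exercised without crashing a process: a recursive parser that runs out of a fixed stack budget, and a /GS-style frame in which an unchecked copy overwrites the security cookie and the saved return address. The three NTSTATUS values are the real ones the post names; the frame layout, the cookie and return-address constants, the stack budget and the per-frame cost are assumptions chosen to keep the model portable, and the attacker input is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS values named in the post. */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_STACK_OVERFLOW       0xC00000FDu   /* stack exhaustion */
#define STATUS_STACK_BUFFER_OVERRUN 0xC0000409u   /* /GS cookie check failed */

/* status plus one detail: depth reached, or the address the callee returns to */
typedef struct { uint32_t status; uint32_t value; } result_t;

/* ---- Case 1: stack exhaustion -------------------------------------------
 * A recursive-descent parser spends one frame per nesting level. A real
 * thread has no counter: it pushes valid frames until it touches the guard
 * page and the kernel raises STATUS_STACK_OVERFLOW. STACK_BUDGET (assumed)
 * stands in for the guard page so the model returns instead of dying.
 * Every frame stays intact and no attacker byte lands outside its buffer;
 * the attacker only chooses how deep the nesting goes. */
#define STACK_BUDGET (64u * 1024u)   /* assumed thread stack size */
#define FRAME_COST   256u            /* assumed bytes per nesting level */

static uint32_t parse_nested(unsigned nesting, unsigned depth,
                             size_t used, unsigned *reached)
{
    used += FRAME_COST;                /* this level's frame */
    *reached = depth;
    if (used > STACK_BUDGET)
        return STATUS_STACK_OVERFLOW;  /* guard page hit; the process would crash here */
    if (depth == nesting)
        return STATUS_SUCCESS;         /* innermost element parsed, unwind normally */
    return parse_nested(nesting, depth + 1, used, reached);
}

/* Parse a document with `nesting` levels; value = deepest level reached. */
result_t parse_document(unsigned nesting)
{
    result_t r;
    unsigned reached = 0;
    r.status = parse_nested(nesting, 0, 0, &reached);
    r.value = reached;
    return r;
}

/* ---- Case 2: stack buffer overrun ---------------------------------------
 * One 32-bit frame as /GS lays it out: locals, then the security cookie,
 * then the saved return address. Fixed 16 + 4 + 4 = 24 bytes, no padding. */
#define GS_BUF_SIZE 16
struct gs_frame {
    char     buf[GS_BUF_SIZE];  /* local buffer the parser copies into */
    uint32_t cookie;            /* /GS security cookie, checked before return */
    uint32_t saved_return;      /* return address the attacker wants to own */
};

/* Real /GS uses a per-module random cookie; constants keep the model
 * reproducible. The return address is an assumed caller location. */
static const uint32_t g_security_cookie = 0xBB40E64Eu;
static const uint32_t legitimate_return = 0x00401000u;

/* Copy `len` bytes into the frame, clamped to `limit`, then run the cookie
 * check. Real code would keep writing into the caller's frame; the clamp
 * keeps the model inside one object. value = what the callee returns to. */
static result_t copy_and_check(const unsigned char *input, size_t len, size_t limit)
{
    struct gs_frame f;
    result_t r;
    memset(&f, 0, sizeof f);
    f.cookie = g_security_cookie;
    f.saved_return = legitimate_return;
    if (len > limit)
        len = limit;
    memcpy(&f, input, len);
    r.value = f.saved_return;
    /* __security_check_cookie: a mismatch means the copy spilled past buf. */
    r.status = (f.cookie == g_security_cookie) ? STATUS_SUCCESS
                                               : STATUS_STACK_BUFFER_OVERRUN;
    return r;                   /* real /GS fast-fails here instead of returning */
}

/* Vulnerable: trusts the caller's length (bounded only by the whole frame). */
result_t parse_element_vulnerable(const unsigned char *input, size_t len)
{
    return copy_and_check(input, len, sizeof(struct gs_frame));   /* BUG */
}

/* Fixed: the copy can never pass buf, so cookie and return address survive. */
result_t parse_element_fixed(const unsigned char *input, size_t len)
{
    return copy_and_check(input, len, GS_BUF_SIZE);
}

/* Driver: constructed attacker input of `len` bytes, 'A' filler with
 * 0xDEADBEEF in the four bytes that sit on saved_return. */
result_t attack(int use_fixed, size_t len)
{
    unsigned char payload[sizeof(struct gs_frame)];
    uint32_t want = 0xDEADBEEFu;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct gs_frame, saved_return), &want, sizeof want);
    if (len > sizeof payload)
        len = sizeof payload;
    return use_fixed ? parse_element_fixed(payload, len)
                     : parse_element_vulnerable(payload, len);
}

int main(void)
{
    result_t r;
    r = parse_document(100);
    printf("nesting 100:      0x%08X depth %u\n", (unsigned)r.status, (unsigned)r.value);
    r = parse_document(1000000u);
    printf("nesting 1000000:  0x%08X depth %u\n", (unsigned)r.status, (unsigned)r.value);
    r = attack(0, 24);
    printf("vulnerable, 24 B: 0x%08X returns to 0x%08X\n", (unsigned)r.status, (unsigned)r.value);
    r = attack(1, 24);
    printf("fixed, 24 B:      0x%08X returns to 0x%08X\n", (unsigned)r.status, (unsigned)r.value);
    return 0;
}
```

The two failure modes differ in what the attacker gets to choose. With exhaustion, the only attacker-controlled quantity is the nesting depth; every frame that was pushed is well formed, and the process dies at the guard page with 0xc00000fd before any attacker-supplied byte is written somewhere it should not be. With the overrun, a 20-byte input corrupts the cookie and is caught, but a 24-byte input has already replaced the saved return address with 0xDEADBEEF by the time the cookie check runs, which is exactly why /GS must fast-fail with 0xc0000409 rather than let the function return, and why the fixed variant bounds the copy by the buffer size rather than by the length in the input.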

We are always happy to triage bugs sent to secure@microsoft.com. Please send them in to us. We are definitely committed to engineering and security excellence. We evaluate every report and determine whether to service it as a security issue or to hand it off to the product team to fix as a reliability and stability issue. For each security issue, we will triage against the SDL bug bar (link to sample bug bar) and address it via the MSRC security bulletin process. All issues that are stability or reliability issues (such as these stack exhaustion bugs) are triaged according to customer impact and addressed in future releases of the product.